The wait is finally over!
Anamanaguchi’s Endless Fantasy looks... pretty trippy! Splattered vinyl for the win.
Anamanaguchi did the fabulous chiptune soundtrack for the 16-bit styled Scott Pilgrim vs. The World: The Game brawler from 2010. While electronic on vinyl isn’t my preferred format, they’ve done an awesome job with the presentation on this project.
You can listen to some tracks from the album at the band’s Soundcloud.
Not long ago, I promised a nephew I’d write up an email for him about opening his first bank account and learning how to manage his own finances. As I thought on it, I wanted to kick it off with a section on how to make sure his own password security is in order before he starts adding monied accounts to the mix. Then I thought about everyone who would benefit from the same thing and that list clocked in at just about every human being I know.
Why Does This Matter?
The weakest link in any security system is the human being: you and me. Hackers’ feats are glorified by Hollywood and the news media, but more often than not the way they win is by exploiting a person and not technology.
As far as the hacker is concerned, you are the first, last, and only line of defense between him and something of value. It’s more than just Twitter and Facebook accounts (though those have black market value as well) — it’s your money, and there are more ways to get at that than just through your bank’s website. And your passwords are literally the key.
Hackers Don’t Care About Me…
They do, and they rely on your complacency and your assumption that you aren’t a target to take advantage of you.
Here’s why you are a target:
- Money: You don’t have to be a millionaire or even a ten-thousandaire to be worth robbing. Criminal networks are very good at stealing small amounts of money and, when you funnel it all together, it’ll fill Scrooge McDuck’s money bin.
- Email Accounts: When you reset your password, you get a reset code sent to your email. So if a hacker gets your email account password, they get just about all of your accounts. Even if you really truly have nothing of value, your email account can be used as a spambot to help them commit other acts of theft.
- Retail Accounts: Ever buy anything online? Does that retailer save your credit card information? Feel like buying gift cards for a hacker? Didn’t think so. This applies to stuff like your Apple ID too. Chances are, a lot of your accounts have ended up with your credit card on file.
OK, I Get It. I’m a Target. What’s the Defense?
There are three main principles to better passwords and better protection of your accounts:
- Longer passwords are stronger
- Complex passwords are stronger
- Reusing your passwords makes them weaker
The first two have to do with an attacker’s ability to guess a password by brute force.
First, consider password length. Think of it like guessing a 3-digit luggage code. You’d start with 000, then 001, then 002… 10 digits per dial, three dials, that’s 10^3 = 1,000 total combinations, and you won’t have to search all of them. What if you had 5 dials? With 10^5 = 100,000 combinations the average search time will take a lot longer. The more dials, the harder it is to guess.
Now, complexity. What if the dials also had upper case letters? We’ve got 26 letters plus 10 digits… that’s 36 options per dial. Now our five dial system has 36^5 options, which is 60,466,176 total combinations. The more things on each dial, the harder it is to guess.
Is That Why Websites Make Me Use Upper Case, Lower Case, Digits, and So On?
Yes, and admittedly it sucks. Even worse, what most of these sites do is train you to make really bad passwords.
Complexity is more than just the classes of characters you use, though. Humans are predictable. Given all these hoops you have to jump through, would it be fair to admit that you’ve got a few passwords that look like this: GoTitans1!
Attackers have figured that out too. They’ll use dictionary attacks that try words and phrases with permutations of these requirement-satisfying tack-ons before they ever attempt a naive brute force (e.g. “aaaaa”).
But, “GoTitans” Isn’t In the Dictionary…
Not Webster’s, no. Hackers make their own dictionary to test in password permutations, and you can bet your butt every sports team in the country makes the cut.
But, The System Locks My Account After A Few Failed Attempts!
This is where the third point comes in. They don’t need to attack that system directly.
You’ll see in the news where major websites have their password databases stolen. Sony Music, LinkedIn… These websites don’t store the passwords in plain text — they use hashes, which are the output of a one-way function that can’t be “un-hashed”. But there’s a catch.
When these websites are compromised, the attackers will save and distribute the database of password hashes as quickly as they can get to it and then attack them offline later.
In many cases, the hash function is simplistic and deterministic: the same input always gives the same output. So, an attacker can hash “aaaaa” and then compare that value to the one in the database. If it matches, they’ve discovered that password.
Computers have gotten so fast that brute forcing stolen credentials this way is very efficient. They can tear through a huge database of credentials in minutes with a high success rate.
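To show what the offline comparison above actually looks like, and what changes when a site salts and stretches its hashes instead, here is an added example (my own constructed code, not anything from the post or from the sites it names). It assumes a small made-up "leaked" table of unsalted SHA-1 hashes, a word list with the predictable tack-ons described earlier, and PBKDF2 as the salted alternative.

```python
import hashlib
import itertools
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the salted alternative


def sha1_hex(password: str) -> str:
    """Fast, unsalted, deterministic: same input, same output, every time."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample of a stolen password table (email -> unsalted SHA-1 hash).
LEAKED = {
    "alice@example.com": sha1_hex("GoTitans1!"),
    "bob@example.com": sha1_hex("aaaaa"),
    "carol@example.com": sha1_hex("correct horse battery staple 42"),
}

# A tiny "dictionary" plus the requirement-satisfying tack-ons the post describes.
BASE_WORDS = ["GoTitans", "password", "aaaaa"]
SUFFIXES = ["", "1", "1!", "2013"]


def candidates():
    for word, suffix in itertools.product(BASE_WORDS, SUFFIXES):
        yield word + suffix


def match_unsalted(leaked):
    """Hash every candidate once, then look up all users at no extra cost."""
    table = {sha1_hex(c): c for c in candidates()}
    return {user: table[h] for user, h in leaked.items() if h in table}


def store_salted(password: str):
    """Per-user random salt + slow KDF: no shared lookup table is possible."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, record) -> bool:
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest


if __name__ == "__main__":
    print(match_unsalted(LEAKED))  # alice and bob recovered, carol is not
    a, b = store_salted("aaaaa"), store_salted("aaaaa")
    print(a[1] != b[1], verify_salted("aaaaa", a))  # different digests, both verify
```

With the unsalted table, one pass over the candidate list cracks every user who chose a predictable password; with the salted version, the same password stored twice yields two different digests, so each account would have to be attacked separately and at the KDF's cost.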
LinkedIn Made Me Change My Password, So It’s Okay, Right?
At LinkedIn, yes. But did you use that same password at any other website?
Somewhere, someone has a record that your email address is associated with such-and-such password. If you’re using that same password elsewhere, they have your password to that website. And it doesn’t take a genius to guess that combination.
They can now attack another website and blindly try your known username/email address and password to get in and empty your account.
You can check https://shouldichangemypassword.com/ to find out if your widely-reused password is already compromised. Never give a website you don’t know the username and password you use at a different service — this site is alright because it only uses your email address as a key.
If you use the same key in all of your locks, then I only need to compromise one key to get access to anything I know (or suspect) is yours. To avoid this, you need to not reuse passwords from site to site, the third point up above.
The bar is set pretty high, and it only gets higher as the days go by. You’ve never had more sensitive information resident on the Internet before today. Tomorrow, there’ll be even more.
My next post will detail how you can change your habits around passwords to protect yourself.
I received my @kickstarter backed copy of Soul of Science (plus rewards) by Daniel Martin Diaz last week!
Today, families gathered in one of America’s oldest, greatest cities to support their loved ones as they accomplish something incredible, something they’re already had to work very hard to even attempt. For some, it was another run in the city. For others, it was a first.
A marathon is a celebration of life. The legend, of course, is that an Athenian soldier ran all the way from Athens to the allied city-state of Marathon - 26.2 miles - to warn them of an impending invasion. The soldier arrived in time, but collapsed dead after gasping his precious message. To run this kind of distance is no easy feat. To run it competitively is nothing short of amazing. But whether you finish in 2:15 or 5:21, it’s a feat that should be celebrated.
Some of these families will be going home without everyone. Literally unwhole. Their faith and their support has been repaid with senseless bloodshed.
I can’t pretend like today’s events in Boston haven’t affected me pretty deeply, much more so than these things usually do. I can’t help but be incredibly angry about this, because it’s not just people like me that were being targeted — it’s the people whom I love and who support me that were targeted.
Not in Boston, but I’ve been there… Four hours into the race with family waiting by the finish line. Yes, in a very real sense, that could have been me and mine. And that makes me very, very angry.
As I write this, we’ve reached the “know-nothing” phase of news coverage. We aren’t learning anything new, but the incessant review of the carnage and the footage and the footage of the carnage must carry on.
It’s not that I don’t care anymore, it’s that I’m already exhausted. I’d like to know why, but I wish we could continue learning about this horrible affair without giving the perpetrators the attention they do not deserve.
I work in network and application security, so you’d think I’d have my home in order. And when it comes to my digital presence, you’d be right. But my home? Well, let’s just say that’s been a lesson learned…
A couple of weeks ago, my wife and I left work at the end of the day and arrived home to find our garage door opener wasn’t responding to the remote. While that was puzzling, there are plenty of plausible explanations for that. Maybe the power was out, or the battery in the remote died… So, we walked up to the front door to let ourselves in the old fashioned way.
The front door had been pried open but left propped mostly closed behind the storm door. It was immediately obvious that we’d been robbed.
As we looked around the house and assessed what had happened, a few things became clear:
- The thieves had gone into the garage, pulled the emergency release on the door opener, and used that to get a vehicle in and out to buy themselves more time.
- The thieves had a set list of items they were looking for: TVs, computers, guns, gemstones, watches - things they could fence easily. Items not in their list they left alone.
- They avoided things with extensive cords or wires. They took a laptop and its power brick, but left a superior desktop sitting immediately beside it. They took the audio receiver and DVD player, but left the speakers.
As we worked with the county sheriff’s office, we learned that the crew that had hit us had also hit at least three other houses in the general area that day — all during broad daylight.
And despite the obvious pain points, we were lucky. All of the stuff taken was just that — stuff. Thanks to the thieves’ selectiveness we didn’t lose anything of sentimental value, nothing that couldn’t be replaced by insurance.
So, I’ve learned an important lesson about home security. I wouldn’t be a good Samaritan if I didn’t share a few tidbits of knowledge…
DINKs are an Easy Target
Dual Income, No Kids. It means you’re pulling in the bank, but you’re not investing it into a mini-you. It also means your house is probably conspicuously vacant during the weekday.
We heard neighbors mention that, prior to the break-in, some folks were going door-to-door to solicit a new lawn care business, but they didn’t have a brochure, a flyer, or a business card. This was probably the casing job, and it would have been easy to identify that no one was at home during regular business hours.
Your Neighbors Aren’t a Theft Deterrent
You can’t count on your neighbors to provide an ambient deterrent. There are way too many situations where they just won’t be there to see something happening at your house. My most reliably nosy neighbor was away on errands (though, to hear her tell it, she is terrified for her personal safety because she’s at home all day). Besides, it’s not as if you can expect them to be glued to their windows, watching your house. Even if they do, will they realize there’s a theft in progress? Will they react in a timely fashion?
Get A Monitored Security System
You aren’t home, your neighbors aren’t watching your house… so do something! Get yourself a monitored security system.
First place I looked was the ever-ubiquitous ADT, but after quite a lot of research, I settled on SimpliSafe. For just $25/month, I get the top tier of their monitoring service. That gets me all the remote access I want, a smartphone app, and a number of other really nice features. That’s $10 cheaper than ADT’s least expensive and least featured option. True, I didn’t get a $100 install deal. It was quite a bit more up front and it was self-install. Personally, I prefer that to yet another stranger sussing out the soft spots in my home’s security.
The install price pays for itself in time anyway. Having a monitored system gets me a $28/month discount on my homeowner’s insurance, and I haven’t even added fire sensors yet. Once I do, that discount increases. At that rate, the installation will be paid for inside of two years’ time.
Once you’ve got it installed, train yourself to use it. I’ve got a reminder on my iPhone to arm the system set to trigger whenever I leave.
Deadbolts Really Are A Must
I’d always wondered a little bit how much of a difference deadbolts would make. Turns out, they make all the difference. The thieves went through our front door in seconds with a crowbar because there was no real reinforcement there that would stand up to that kind of force.
The seeds of theft, both digital and physical, are usually the identification of weak points. At work, I’ll call it low hanging fruit. Unless there’s strong motivation to target a specific someone, thieves don’t want to have to work hard. If a target is difficult to rob, they won’t.
Having a deadbolt in each of your entryways makes your house a high-hanging fruit.